cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License

fix: use SRE Bot to post Slack notifications #429

Closed. patheard closed this 11 months ago.

patheard commented 11 months ago

Summary

Update to use the SRE Bot to post CloudWatch alarm Slack notifications.

github-actions[bot] commented 11 months ago

Staging: alarms

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 2 to add, 0 to change, 9 to destroy
Summary

| CHANGE | NAME |
|----------|-------------------------------------------------------------------------------------|
| delete | `module.cloudwatch_alarms_slack.aws_cloudwatch_log_group.notify_slack_lambda` |
| | `module.cloudwatch_alarms_slack.aws_iam_policy.notify_slack_lambda` |
| | `module.cloudwatch_alarms_slack.aws_iam_role.notify_slack_lambda` |
| | `module.cloudwatch_alarms_slack.aws_iam_role_policy_attachment.notify_slack_lambda` |
| | `module.cloudwatch_alarms_slack.aws_lambda_function.notify_slack` |
| | `module.cloudwatch_alarms_slack.aws_lambda_permission.notify_slack[0]` |
| | `module.cloudwatch_alarms_slack.aws_lambda_permission.notify_slack[1]` |
| recreate | `aws_sns_topic_subscription.alert_warning` |
| | `aws_sns_topic_subscription.alert_warning_us_east` |
Plan

```terraform
Resource actions are indicated with the following symbols:
  - destroy
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_sns_topic_subscription.alert_warning must be replaced
-/+ resource "aws_sns_topic_subscription" "alert_warning" {
      ~ arn                            = "arn:aws:sns:ca-central-1:843973686572:cloudwatch-alarms-warning:f89e951e-8f4b-4799-958b-e7fd11ce4067" -> (known after apply)
      ~ confirmation_was_authenticated = true -> (known after apply)
        # Warning: this attribute value will be marked as sensitive and will not
        # display in UI output after applying this change.
      ~ endpoint                       = (sensitive value) # forces replacement
      + filter_policy_scope            = (known after apply)
      ~ id                             = "arn:aws:sns:ca-central-1:843973686572:cloudwatch-alarms-warning:f89e951e-8f4b-4799-958b-e7fd11ce4067" -> (known after apply)
      ~ owner_id                       = "843973686572" -> (known after apply)
      ~ pending_confirmation           = false -> (known after apply)
      ~ protocol                       = "lambda" -> "https" # forces replacement
        # (4 unchanged attributes hidden)
    }

  # aws_sns_topic_subscription.alert_warning_us_east must be replaced
-/+ resource "aws_sns_topic_subscription" "alert_warning_us_east" {
      ~ arn                            = "arn:aws:sns:us-east-1:843973686572:cloudwatch-alarms-warning:badf8bc9-2da2-4875-af2e-4e24a4c98d0b" -> (known after apply)
      ~ confirmation_was_authenticated = true -> (known after apply)
        # Warning: this attribute value will be marked as sensitive and will not
        # display in UI output after applying this change.
      ~ endpoint                       = (sensitive value) # forces replacement
      + filter_policy_scope            = (known after apply)
      ~ id                             = "arn:aws:sns:us-east-1:843973686572:cloudwatch-alarms-warning:badf8bc9-2da2-4875-af2e-4e24a4c98d0b" -> (known after apply)
      ~ owner_id                       = "843973686572" -> (known after apply)
      ~ pending_confirmation           = false -> (known after apply)
      ~ protocol                       = "lambda" -> "https" # forces replacement
        # (4 unchanged attributes hidden)
    }

  # module.cloudwatch_alarms_slack.aws_cloudwatch_log_group.notify_slack_lambda will be destroyed
  # (because aws_cloudwatch_log_group.notify_slack_lambda is not in configuration)
  - resource "aws_cloudwatch_log_group" "notify_slack_lambda" {
      - arn               = "arn:aws:logs:ca-central-1:843973686572:log-group:/aws/lambda/url-shortener-cloudwatch-alarms-slack" -> null
      - id                = "/aws/lambda/url-shortener-cloudwatch-alarms-slack" -> null
      - name              = "/aws/lambda/url-shortener-cloudwatch-alarms-slack" -> null
      - retention_in_days = 14 -> null
      - skip_destroy      = false -> null
      - tags              = {
          - "CostCentre" = "url-shortener-staging"
        } -> null
      - tags_all          = {
          - "CostCentre" = "url-shortener-staging"
        } -> null
    }

  # module.cloudwatch_alarms_slack.aws_iam_policy.notify_slack_lambda will be destroyed
  # (because aws_iam_policy.notify_slack_lambda is not in configuration)
  - resource "aws_iam_policy" "notify_slack_lambda" {
      - arn       = "arn:aws:iam::843973686572:policy/NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
      - id        = "arn:aws:iam::843973686572:policy/NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
      - name      = "NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
      - path      = "/" -> null
      - policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:PutLogEvents",
                          - "logs:CreateLogStream",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:logs:ca-central-1:843973686572:log-group:/aws/lambda/url-shortener-cloudwatch-alarms-slack"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id = "ANPA4JAGAOUWJ7P66XDQI" -> null
      - tags      = {} -> null
      - tags_all  = {} -> null
    }

  # module.cloudwatch_alarms_slack.aws_iam_role.notify_slack_lambda will be destroyed
  # (because aws_iam_role.notify_slack_lambda is not in configuration)
  - resource "aws_iam_role" "notify_slack_lambda" {
      - arn                   = "arn:aws:iam::843973686572:role/NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2023-02-27T22:28:07Z" -> null
      - force_detach_policies = false -> null
      - id                    = "NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
      - managed_policy_arns   = [
          - "arn:aws:iam::843973686572:policy/NotifySlackLambda-url-shortener-cloudwatch-alarms-slack",
        ] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
      - path                  = "/" -> null
      - role_last_used        = [
          - {
              - last_used_date = "2023-05-25T21:22:45Z"
              - region         = "ca-central-1"
            },
        ] -> null
      - tags                  = {} -> null
      - tags_all              = {} -> null
      - unique_id             = "AROA4JAGAOUWLUWW2FR3Y" -> null
    }

  # module.cloudwatch_alarms_slack.aws_iam_role_policy_attachment.notify_slack_lambda will be destroyed
  # (because aws_iam_role_policy_attachment.notify_slack_lambda is not in configuration)
  - resource "aws_iam_role_policy_attachment" "notify_slack_lambda" {
      - id         = "NotifySlackLambda-url-shortener-cloudwatch-alarms-slack-20230227222808083300000001" -> null
      - policy_arn = "arn:aws:iam::843973686572:policy/NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
      - role       = "NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
    }

  # module.cloudwatch_alarms_slack.aws_lambda_function.notify_slack will be destroyed
  # (because aws_lambda_function.notify_slack is not in configuration)
  - resource "aws_lambda_function" "notify_slack" {
      - architectures                  = [
          - "x86_64",
        ] -> null
      - arn                            = "arn:aws:lambda:ca-central-1:843973686572:function:url-shortener-cloudwatch-alarms-slack" -> null
      - code_signing_config_arn        = "" -> null
      - description                    = "Lambda function to post CloudWatch alarm notifications to a Slack channel." -> null
      - filename                       = "/tmp/notify_slack.py.zip" -> null
      - function_name                  = "url-shortener-cloudwatch-alarms-slack" -> null
      - handler                        = "notify_slack.lambda_handler" -> null
      - id                             = "url-shortener-cloudwatch-alarms-slack" -> null
      - image_uri                      = "" -> null
      - invoke_arn                     = "arn:aws:apigateway:ca-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda:ca-central-1:843973686572:function:url-shortener-cloudwatch-alarms-slack/invocations" -> null
      - kms_key_arn                    = "" -> null
      - last_modified                  = "2023-04-24T17:58:59.502+0000" -> null
      - layers                         = [] -> null
      - memory_size                    = 128 -> null
      - package_type                   = "Zip" -> null
      - publish                        = false -> null
      - qualified_arn                  = "arn:aws:lambda:ca-central-1:843973686572:function:url-shortener-cloudwatch-alarms-slack:$LATEST" -> null
      - qualified_invoke_arn           = "arn:aws:apigateway:ca-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda:ca-central-1:843973686572:function:url-shortener-cloudwatch-alarms-slack:$LATEST/invocations" -> null
      - reserved_concurrent_executions = -1 -> null
      - role                           = "arn:aws:iam::843973686572:role/NotifySlackLambda-url-shortener-cloudwatch-alarms-slack" -> null
      - runtime                        = "python3.8" -> null
      - signing_job_arn                = "" -> null
      - signing_profile_version_arn    = "" -> null
      - skip_destroy                   = false -> null
      - source_code_hash               = "iC0Ta5b8fs9u6i/c3LA3/Tk8BUHfS6Jgq4NF8At0CBo=" -> null
      - source_code_size               = 1613 -> null
      - tags                           = {
          - "CostCentre" = "url-shortener-staging"
        } -> null
      - tags_all                       = {
          - "CostCentre" = "url-shortener-staging"
        } -> null
      - timeout                        = 30 -> null
      - version                        = "$LATEST" -> null

      - environment {
          - variables = {
              - "LOG_EVENTS"        = "True"
              - "PROJECT_NAME"      = "url-shortener"
              - "SLACK_WEBHOOK_URL" = (sensitive value)
            } -> null
        }

      - ephemeral_storage {
          - size = 512 -> null
        }

      - tracing_config {
          - mode = "PassThrough" -> null
        }
    }

  # module.cloudwatch_alarms_slack.aws_lambda_permission.notify_slack[0] will be destroyed
  # (because aws_lambda_permission.notify_slack is not in configuration)
  - resource "aws_lambda_permission" "notify_slack" {
      - action        = "lambda:InvokeFunction" -> null
      - function_name = "url-shortener-cloudwatch-alarms-slack" -> null
      - id            = "AllowExecutionFromSNS-url-shortener-cloudwatch-alarms-slack-0" -> null
      - principal     = "sns.amazonaws.com" -> null
      - source_arn    = "arn:aws:sns:ca-central-1:843973686572:cloudwatch-alarms-warning" -> null
      - statement_id  = "AllowExecutionFromSNS-url-shortener-cloudwatch-alarms-slack-0" -> null
    }

  # module.cloudwatch_alarms_slack.aws_lambda_permission.notify_slack[1] will be destroyed
  # (because aws_lambda_permission.notify_slack is not in configuration)
  - resource "aws_lambda_permission" "notify_slack" {
      - action        = "lambda:InvokeFunction" -> null
      - function_name = "url-shortener-cloudwatch-alarms-slack" -> null
      - id            = "AllowExecutionFromSNS-url-shortener-cloudwatch-alarms-slack-1" -> null
      - principal     = "sns.amazonaws.com" -> null
      - source_arn    = "arn:aws:sns:us-east-1:843973686572:cloudwatch-alarms-warning" -> null
      - statement_id  = "AllowExecutionFromSNS-url-shortener-cloudwatch-alarms-slack-1" -> null
    }

Plan: 2 to add, 0 to change, 9 to destroy.

Warning: Argument is deprecated

  with module.athena_bucket.aws_s3_bucket.this,
  on .terraform/modules/athena_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
   8: resource "aws_s3_bucket" "this" {

Use the aws_s3_bucket_lifecycle_configuration resource instead

(and 3 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...
```
Conftest results

```sh
WARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.url_shortener_api_error"]
WARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.url_shortener_api_warning"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cloudfront_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.route53_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.url_shoretener_api_high_magic_link_sent"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.url_shoretener_api_suspicious"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.url_shoretener_api_warning"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.url_shortener_api_error"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_health_check.url_shortener"]

25 tests, 16 passed, 9 warnings, 0 failures, 0 exceptions
```